Cisco Support Community
New Member

Pix and VPN Concentrator

We have a PIX firewall in place with an outside address. We also have a 3015 concentrator that is directly connected outside with a public IP address of Network Layout...

Internet--Router--switch--Pix------Switch---Internal |


|-----VPN 3015 Public INT

Can I attach our VPN 3015 to the PIX so I can protect it?

New Member

Re: Pix and VPN Concentrator

Here is a solution:

Place your VPN concentrator's public interface behind your perimeter router and create a "dirty DMZ" - using ACLs to control specific traffic to the concentrator. Then, put the private interface of the concentrator in your DMZ, off of the PIX. If you are using CBAC on your perimeter router, you can really tighten it up.

This is the way I have my VPN set up. It allows only VPN traffic to the public interface. And, since the private interface terminates in the DMZ, I have 2 ways of controlling what comes out of the VPN tunnel - ACLs pushed from policies on the concentrator and ACLs on the PIX. Probably overkill, but it's a very secure environment.
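
An added example of the layout described in the reply above (not part of the original posts): a perimeter-router ACL that lets only VPN traffic reach the concentrator's public interface, and a PIX ACL that limits what leaves the tunnel through the DMZ. It assumes the VPN is IPsec with NAT traversal; all addresses (documentation ranges), interface names, ACL names and the permitted internal service are placeholders.

```cisco
! ----- Perimeter router (IOS): "dirty DMZ" segment holding the 3015 public interface -----
! Assumed: 192.0.2.10 = concentrator public interface,
!          FastEthernet0/1 = router interface facing the dirty DMZ segment.
ip access-list extended DIRTY-DMZ-OUT
 remark IKE negotiation to the concentrator
 permit udp any host 192.0.2.10 eq isakmp
 remark IPsec ESP (IP protocol 50)
 permit esp any host 192.0.2.10
 remark IPsec NAT traversal (UDP 4500)
 permit udp any host 192.0.2.10 eq non500-isakmp
 remark Everything else toward the segment is dropped and logged
 deny ip any any log
!
interface FastEthernet0/1
 description Dirty DMZ - VPN 3015 public interface
 ip access-group DIRTY-DMZ-OUT out
!
: ----- PIX: DMZ interface holding the 3015 private interface -----
: Assumed: 10.10.10.0/24 = address pool handed to VPN clients,
:          10.1.1.20 = one internal server remote users need, over HTTPS only,
:          "dmz" = nameif of the PIX interface the concentrator connects to.
: Translation rules (static/nat) for DMZ-to-inside traffic are site-specific
: and are not shown here.
access-list VPN-DMZ-IN permit tcp 10.10.10.0 255.255.255.0 host 10.1.1.20 eq 443
access-list VPN-DMZ-IN deny ip any any
access-group VPN-DMZ-IN in interface dmz
```

The router ACL is applied outbound on the DMZ-facing interface so its closing deny affects only the concentrator's segment, not traffic bound for the PIX.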

